The use of virtual services such as online purchases and the carrying-out of electronic transactions by this same means have led to cyber-criminals specialising in the development of malware which attacks users of these services in a selective manner.
The proliferation of viruses, worms, Trojans and all kinds of malware that specialize in stealing information from the end users of electronic services has resulted in many companies recommending that their users access these services only from fully-identified points, networks and equipment, so as to thereby reduce risks to the greatest extent possible. Unfortunately, these measures are not very useful because users go on using their equipment without any administration or control by the companies that offer electronic services. This means that when they access the services, their equipment could be at risk of being infected or could already be the victim of some type of spyware that is stealing all the users' information.
In most cases, end users of electronic services are not aware of the risks that exist when they carry out their transactions, especially via the Internet (this does not mean that risks do not exist in isolated environments). This explains why, when users see how easy it is to use shared networks (WLAN at airports, for example), they carry out transactions where they openly exchange sensitive information in these types of environment. This is where these users' computer equipment is most vulnerable because they do not know the risks that are inherent in the mere fact of using these networks, which generally give unlimited access to their equipment. This means that it can be infected with any type of spy software that waits for the right moment to execute its theft commands and send sensitive information to a third party.
In addition to the use of unsafe networks for exchanging sensitive information online, unknown computer equipment is also used (Internet cafés, for example), which could have been manipulated by more than one user during its useful life, thereby increasing the risk of infection and making it more likely that the equipment is infected with some type of spyware.
A further interesting point, and one that is becoming more and more common, is the use of social engineering techniques. Although this problem is outside the technological field, it is much more worrying than any other as it is the way that most information is lost, which is then subsequently used to commit offences in the name of third parties.
Companies that provide computer services have concentrated on guaranteeing their investment, that is, their equipment. When attacks commence, they set out to damage the companies' servers so that they cannot provide their services, take them offline, and in the worst case scenario, supplant them and thus be able to steal information.
Companies' policies tend to restrict users to known access scenarios, limiting the convenience they would otherwise enjoy of using the services anywhere and through any network and thus eliminating the very aim of mobile technology.
Companies' user education policies make the end user responsible for access point security (user computer equipment, network used, etc.). Actions such as using and maintaining an antivirus (keeping lists up-to-date, using licensed software, and other restrictions) are advised, but not controlled by companies. This is why users continue having fraud problems. Most users are not knowledgeable enough to make use of the best practices recommended by companies that provide them with their electronic services.
The technology industry has made a positive contribution towards users getting a growing sense of security. One of the most widely-accepted security methods is using tokens, or One-Time Passwords (OTP). An OTP is a tool that aims to improve user security levels at the point of authentication and when information is exchanged with computer applications.
These tokens are an important tool, but they have a series of disadvantages, mostly related to the logistics of administering them, since they represent a cost for companies and in most cases this cost is passed on to end users who, in turn, are unwilling to bear it. Furthermore, malware, which specialises in these devices (more precisely, in stealing the password they generate), has been developed over the last two years, meaning that this technology is no longer a mechanism that marks the difference in terms of end user security because the password can now be reproduced without users realising. By way of example, there is a type of malware called ZeuS, which possesses a large family of executable files that specialise in stealing these passwords, and it has therefore become a great success in the information theft field.
Another security method that is widely used by end users in computer transactions is antivirus software. The most serious problem with this is that it is unable to provide protection against unknown viruses. This enables new viruses to have a window of exposure, i.e. a period of time during which they can spread rapidly before the antivirus software is adapted and updated in order to detect their existence and stop them. Based on the matters described in this document, products exist on the market that aim to provide security of information solutions at the end point, namely the equipment used by the user of the transaction applications. These products include anti-malware suites; antivirus software such as Symantec's Norton Antivirus™, Panda Antivirus™ by Panda Software, Kaspersky's Kaspersky Anti-Virus™, Avira's Avira Antivirus™, Avast™, etc. And in the field of anti-spyware, software which fights spy software includes Ad-Aware SE Personal™, Spybot—Search & Destroy™, and SpywareBlaster.
There are also software programmes that allow information to be made secure when Internet browsers are being used, such as ZoneAlarm™ by Checkpoint. In addition to combining antivirus and anti-spyware, these browsers have a security arrangement for them not to permit software of the type known as loggers to be executed while the browser is being used. However, as mentioned above, these programmes are aimed at users who want to make their information secure and are not provided by companies that advertise their services online, thus leaving millions of users without protection, even if only partially, because they do not have the technological means or knowledge to implement any of these solutions or cannot afford to do so. It should also be pointed out that most of these solutions are only partially effective.
Other solutions, such as the one mentioned in document U.S. Pat. No. 7,725,737B2 which belongs to Check Point Software Technologies, Inc., describe the procedure for providing security at the end point of a transaction. The method creates a secured workspace within an existing operating system for allowing users to run applications in a secured manner, based on a series of policies that can be configured by the user himself. The use of hooks manages certain communications between applications and the Operating System (OS). Information generated within the secured workspace is encoded, so that it can only be viewed from there.
The U.S. Pat. No. 7,725,737B2 describes a method for providing security that is aimed at the whole range of existing electronic devices although it refers directly to how to construct secure applications only in computers with a Windows™ OS. This method allows for the possibility of configuring security levels, thereby enabling transactions carried out under this configuration to be infected by malware and the system in which the method is being executed to thus be rendered insecure. The use of the method in the user's equipment requires the installation of administrator permits for the transactions to be carried out. If the user of the equipment does not have these permits, the method cannot be used.
Everything executed in the secured workspace described in the method is encoded and stored, and this could allow hackers to reconstruct information that is on the disc and also seriously affect equipment performance, thus in turn affecting the experience of the end user. This method also requires an external component to validate the minimum policies required for executing the secured workspace, thereby limiting the possibility of implementing the solution only for corporate sectors, where the end connection points possess a control level from the company which provides the transaction application service.
The method described in the present invention, on the other hand, does not give the user the power to choose his security levels, eliminating any possibility of attacks on the end user. When users are able to manipulate security levels in an application, these levels are generally not the best ones for the end user's needs because he (the user) does not have the necessary technical knowledge to establish the most appropriate security configuration for his equipment. Not allowing the user to configure security allows the company that implements the method proposed in this invention to have a lower risk margin than that provided by other methods, where users configure their own security.
Among the widely-known methods for providing security at the end point in a transaction is the virtualisation of services and complete OS, where the malware residing in the normal user setting does not attack the virtual environment. Two examples of this method are described in documents US2004/0236874A1 and US2010/0005531A1. These patents disclose how a complete virtualisation of an alternative OS to the user's original is performed which is capable of existing side by side and being executed at the same time as the end user's original OS. These methods, which are well-known in the industry for their efficiency in protecting users, cannot be implemented in any environment. The hardware in users' equipment needs to have certain technical characteristics in order to meet the minimum requirements that these methods demand. The user also needs to have a relatively high level of knowledge in order to configure the virtualisation methods, since carrying out a virtualisation of an OS is much more complex than doing the same thing with a service. Virtualisation of an OS also requires a series of physical resources, such as hard disc storage, a major portion of the RAM memory for executing it, and interfaces (drivers or controllers) which enable various peripheral devices to be used, such as a keyboard, cursor, or even printers. These resources are generally limited for end users, since they do not have equipment with such a high computing capacity.
The concept of providing security changes with mobile devices, as a result of the end user application delivery strategies. In the specific case of the Apple iOS and the Google™ Android, the manufacturers of these OSs have taken special care to offer a secure environment of their own instead of leaving the user in the hands of third parties to guarantee their security, according to a recent study conducted by Symantec in June 2011¹.
The threats to the security of users' sensitive information in mobile devices are hard to exploit and correct because they occur less often than in PCs, as a result of the control that is exercised by the manufacturers over the applications they deliver to end users. However, this does not mean that hackers cannot obtain information from the end users. Apple, for example, is one of the manufacturers that has taken the most care with security in its mobile devices, by defining a series of policies and conditions for creating applications that are executed in those devices. In the case of Apple, five (5) standards have been established which have to be verified before an application can be available to users, namely:
(i) traditional access control, access via password and blocking screen with timer,
(ii) application origin, which means that the creator and publisher of the application are checked,
(iii) data encoding, with each application being required to encode the information it administers so that others are not capable of reading it,
(iv) isolation of applications, where applications cannot share execution spaces; in other words, they cannot share RAM memory, meaning that applications cannot access information that is being executed in another scenario, and
(v) access control via permits (that is, administering access by applications to information through permits and blocking if an attempt is made to exceed the limit).